HubSpot & DORA: How financial companies ensure compliance now

Written by Stefan Wendt | Aug 13, 2025 12:40:28 PM

Digital security and resilience are more important than ever in the financial sector. The Digital Operational Resilience Act (DORA), a new EU regulation that has been legally binding since January 17 of this year, plays a central role in this. For financial companies such as banks, insurance companies, asset managers and capital management companies (KVG), DORA is a must. But what exactly does DORA mean for the use of CRM systems such as HubSpot for banking and financial service providers?

What is DORA and why is it so crucial for the financial sector?

DORA stands for the Digital Operational Resilience Act. Translated, this means "digital operational resilience" for companies in the financial sector. DORA is an EU regulation that was enacted specifically for these companies. Its primary objective is protection against disruptions related to information and communication technology (ICT). The regulation establishes uniform requirements for IT risk management, emergency planning and the control of third-party providers.

Especially in the financial sector, which handles a lot of sensitive data - from banking data to personal financial information - this protection is essential, not only in terms of GDPR compliance, but also in the context of DORA.

The 5 core requirements of DORA at a glance

To increase security in the financial sector, the DORA legislation sets out five key requirements that every regulated financial company and its service providers must meet:

  1. ICT risk management: You must clearly identify, classify and address IT risks. This includes regular vulnerability and risk analyses at system and process level, which must also be documented.
  2. Incident management and reporting (incident reporting): In the event of serious IT disruptions, there is an obligation to report to the responsible supervisory authority, such as BaFin. Attacks on SaaS systems such as HubSpot must also be reported.
  3. Digital business resilience tests: Your financial company must carry out regular penetration tests, recovery tests and simulations of system failures to check and document the resilience of your systems. Threat-Led Penetration Tests (TLPT) are also used here, which are carried out by Red Teams (ethical hackers).
  4. Third-party risk management: Contractual partners such as HubSpot must be checked, monitored and documented for their security. Importantly, there is no exception for Software-as-a-Service (SaaS) companies. SLAs (Service Level Agreements), audit rights and exit strategies are crucial here.
  5. Information exchange and governance: Responsibilities, IT strategies and governance models must be documented. Technical and organizational measures must be anchored in a DORA-compliant information security concept. A central contact person such as a Chief Information Security Officer (CISO) is often responsible for this.

Why HubSpot is "critical" for financial companies

Although CRM systems may seem harmless at first glance, they are highly relevant for financial companies under DORA. HubSpot is classified as critical software because it manages sensitive customer data and is often deeply integrated into your system landscape, where other sensitive data flows. Ticketing requests in customer service, for example, can contain very sensitive information. It is therefore essential to ensure that HubSpot meets the DORA requirements.

Current status: The European supervisory authorities have not yet classified HubSpot as a "critical infrastructure". This is because HubSpot does not generally store transaction data or similar highly sensitive banking system data. HubSpot does, however, offer functions for sensitive data fields in order to manage relevant information securely for regulatory purposes. However, it is important to note that this classification can change at any time.



How HubSpot supports you with DORA compliance

HubSpot has taken proactive steps to help financial organizations with DORA compliance. The most important resources are:

🔗 HubSpot's DORA Addendum:
This official contractual document refers to the EU regulation and contractually and operationally secures the regulatory requirements for financial companies. It is valid for all fee-based HubSpot accounts and covers topics such as server locations (hosting in the EU), sub-processors, data recovery, backups, employee training and insolvency support. It also regulates the export of data and termination rights.

🔗 The official DORA FAQ from HubSpot:
This document provides a general overview of DORA and detailed answers on how HubSpot helps with DORA compliance. It references the DORA Addendum, mentions 24/7 Incident Response Teams and describes the contractual, technical and organizational safeguards in place (such as DPAs and SOC 2 certifications).

🔗 The Trust Center from HubSpot:
Here you can download or view important documents such as the SOC 2 certification (an auditing standard for service organizations such as cloud providers). The Trust Center also provides reports on the penetration tests that HubSpot carries out regularly.

These comprehensive measures show that HubSpot, as a premium software, places a high focus on security and compliance.


Concrete steps for your company to achieve DORA compliance with HubSpot

To be on the safe side, you should take the following steps as a financial company:

  • Check and document HubSpot's DORA addendum: Include the DORA addendum provided by HubSpot in your internal document vault. It regulates basic security and is a central component of your compliance strategy.
  • Use the Trust Center: Download all documentation on certifications (e.g. SOC 2), Red Teaming tests and contract documents for subcontractors from the HubSpot Trust Center.
  • Contract review and amendment: Make sure that you have concluded the necessary contractual agreements such as Data Processing Agreements (DPAs) and non-disclosure agreements with your service providers, including HubSpot and service partners.
  • Sensitive data in HubSpot: If you store critical functions or sensitive data in HubSpot, ensure that the appropriate settings (e.g. sensitive data fields) are used and that the requirements for penetration tests and audits are met.
  • Create internal awareness: Create awareness for DORA in all departments and establish responsibilities for DORA-compliant processes.
  • Regular review: DORA is a constantly evolving process. Keep up to date with updates to the HubSpot Trust Center and new regulations.

HubSpot & DORA Conclusion: Be proactive!

DORA will reach all regulated financial companies sooner or later. It is crucial to approach the topic proactively. The ongoing development of DORA and HubSpot requires constant attention and adaptability to ensure the digital resilience of your company in the long term. Transparent handling of sensitive data - as explained here using the example of data protection in CRM - is a decisive factor here.

The implementation of DORA can be complex. Experienced service providers and partners can help you to comply with the guidelines and create security concepts. If you need support in checking and implementing DORA compliance for HubSpot, then make an individual appointment.

For example, we offer a DORA audit for HubSpot, which helps you to make clever use of the addendum, centrally compile DORA-relevant articles, advise on secure integration (rights and role concepts, multi-factor authentication) and support you in planning penetration tests.

If you want to stay up to date with the latest trends in CRM, subscribe to our free newsletter here.